PAT Pool NAT Properties

When you configure dynamic NAT, you can define a pool of addresses to use for Port Address Translation using the properties on the PAT Pool tab.

Enable PAT Pool

Select this option to configure a pool of addresses for PAT.

PAT

The addresses to use for the PAT pool, one of the following:

  • Address—The object that defines the PAT pool addresses, either a network object that includes a range, or a network object group that contains hosts, ranges, or both. You cannot include subnets. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.

  • Destination Interface IP—Indicates that you want to use the destination interface as the PAT address. For this option, you must select a specific Destination Interface Object; you cannot use Any as the destination interface. This is another way to implement interface PAT.

Round Robin

Select this option to assign addresses and ports in round-robin fashion. Without round robin, all ports on one PAT address are allocated before the next PAT address in the pool is used. With round robin, one address/port pair is taken from each PAT address in the pool in turn before the first address is used again, then the second, and so on. Note that successive connections from the same real host can therefore appear from different mapped addresses.

Extended PAT Table

Select this option to use extended PAT. Extended PAT allows 65535 ports per service rather than per IP address, by including the destination address and port in the translation information. Normally the destination address and port are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. With extended PAT, for example, you can have a translation to 10.1.1.1:1027 for traffic going to 192.168.1.7:23 and a separate translation to 10.1.1.1:1027 for traffic going to 192.168.1.7:80. You cannot use this option with interface PAT or interface PAT fallback.

Flat Port Range; Include Reserved Ports

Select Flat Port Range to use 1024 to 65535 as a single flat range when allocating TCP/UDP ports. When choosing the mapped port for a translation, PAT uses the real source port number if it is available. On devices earlier than version 6.7, if the real port is not available and this option is not selected, the mapped port is chosen from the same range as the real port: 1 to 511, 512 to 1023, or 1024 to 65535. Because the two lower ranges are small, traffic sourced from low ports can exhaust them quickly; select this option to avoid that. To use the entire 1 to 65535 range, also select Include Reserved Ports. On threat defense devices running version 6.7 or later, the flat port range is always in effect whether or not you select the option; Include Reserved Ports can still be selected on these systems and is honored.

Block Allocation

Select this option to enable port block allocation. For carrier-grade or large-scale PAT, you can allocate a block of ports to each real host rather than having NAT allocate one port translation at a time. Once a host owns a block, subsequent connections from that host use new randomly selected ports within the block; an additional block is allocated only when the host has active connections on every port of its existing blocks. Port blocks are allocated from the 1024 to 65535 range only. Port block allocation is compatible with round robin, but you cannot use it with the extended PAT or flat port range options, and you cannot use it with interface PAT fallback.
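The following is an added example, not Cisco code, that models the address and port selection rules described in the Round Robin, Extended PAT Table, Flat Port Range and Block Allocation properties above, so that the port-exhaustion behaviour of each option can be observed. The class name PatPool, the max_port parameter (which scales the port space down so exhaustion shows after a few calls), the choice of the lowest free port where the device picks randomly, and the rule that the real source port is preserved only when it falls inside the allowed mapped range are all assumptions of this model. The sample hosts and destinations are constructed.

```python
"""Toy model of PAT pool allocation options (added example, not Cisco code)."""
from itertools import cycle

# Pre-6.7 behaviour without Flat Port Range: the mapped port is drawn from the
# same sub-range as the real source port.
LEGACY_RANGES = ((1, 511), (512, 1023), (1024, 65535))


class PatPool:
    def __init__(self, addresses, round_robin=False, extended=False, flat=False,
                 include_reserved=False, block_size=0, max_port=65535):
        # Constraint from the page: block allocation excludes extended PAT and flat range.
        if block_size and (extended or flat):
            raise ValueError("block allocation cannot be combined with extended PAT or flat range")
        self.addresses = list(addresses)
        self.round_robin, self.extended = round_robin, extended
        self.flat, self.include_reserved = flat, include_reserved
        self.block_size = block_size
        self.max_port = max_port  # assumption: real pools end at 65535; tests scale this down
        self.used = {}            # port-space key -> set of mapped ports in use
        self.xlates = {}          # (real_ip, real_port, dst) -> (mapped_ip, mapped_port)
        self.blocks = {}          # real_ip -> [(mapped_ip, lo, hi)] blocks owned by that host
        self.next_block = {}      # mapped_ip -> next unallocated block start
        self._rr = cycle(self.addresses)

    def _key(self, mapped_ip, dst):
        # Extended PAT keys the port space by destination, so one mapped ip:port
        # can serve flows to two different destinations.
        return (mapped_ip, dst) if self.extended else (mapped_ip,)

    def _candidates(self):
        # Round robin starts at the next address in rotation for each new translation;
        # the default always starts at the first address, exhausting it before the next.
        if not self.round_robin:
            return self.addresses
        start = self.addresses.index(next(self._rr))
        return self.addresses[start:] + self.addresses[:start]

    def _ranges(self, real_port):
        if self.flat:
            return [(1 if self.include_reserved else 1024, self.max_port)]
        return [(lo, min(hi, self.max_port)) for lo, hi in LEGACY_RANGES if lo <= real_port <= hi]

    def _pick_port(self, key, real_port, ranges):
        used = self.used.setdefault(key, set())
        # Port preservation: keep the real source port when it is free and inside the
        # allowed mapped range (the range check is this model's assumption).
        if real_port not in used and any(lo <= real_port <= hi for lo, hi in ranges):
            return real_port
        for lo, hi in ranges:
            for port in range(lo, hi + 1):  # lowest free port; the device chooses randomly
                if port not in used:
                    return port
        return None

    def _pick_block_port(self, real_ip):
        # Block allocation: a host draws from blocks it already owns and gets a new
        # block (1024-65535 only) when every owned block is full.
        for mapped_ip, lo, hi in self.blocks.get(real_ip, []):
            used = self.used.get((mapped_ip,), set())
            for port in range(lo, hi + 1):
                if port not in used:
                    return (mapped_ip, port)
        for mapped_ip in self._candidates():
            lo = self.next_block.get(mapped_ip, 1024)
            hi = lo + self.block_size - 1
            if hi <= self.max_port:
                self.next_block[mapped_ip] = hi + 1
                self.blocks.setdefault(real_ip, []).append((mapped_ip, lo, hi))
                return (mapped_ip, lo)
        return None

    def translate(self, real_ip, real_port, dst):
        """Return (mapped_ip, mapped_port) for a flow, or None if the pool is exhausted."""
        flow = (real_ip, real_port, dst)
        if flow in self.xlates:
            return self.xlates[flow]
        result = None
        if self.block_size:
            result = self._pick_block_port(real_ip)
        else:
            for mapped_ip in self._candidates():
                port = self._pick_port(self._key(mapped_ip, dst), real_port, self._ranges(real_port))
                if port is not None:
                    result = (mapped_ip, port)
                    break
        if result is not None:
            self.used.setdefault(self._key(result[0], dst), set()).add(result[1])
            self.xlates[flow] = result
        return result


def low_port_exhaustion(flat=False, include_reserved=False, clients=512):
    """Constructed scenario: many hosts sourcing traffic from port 53 through one
    PAT address (port space capped at 2000); returns how many get a translation."""
    pool = PatPool(["203.0.113.1"], flat=flat, include_reserved=include_reserved, max_port=2000)
    dst = ("198.51.100.1", 53)
    return sum(pool.translate(f"10.0.{i >> 8}.{i & 255}", 53, dst) is not None
               for i in range(clients))
```

With the legacy same-range rule, 512 clients sourcing from port 53 exhaust the 1 to 511 range and the last one gets no translation, while the flat range (with or without reserved ports) accommodates all of them; the same class shows round robin alternating pool addresses, extended PAT reusing one mapped ip:port for two destinations, and block allocation handing a host a second block only after its first is full.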